Jump to content

Unsafe Cookie - httponly


Claudia
 Share

Recommended Posts

"Your website uses unsafe cookies that can be read via JavaScript. In this way you give the possibility to an external attacker to access ex. to your customers' data during an open user session."

I'm a beginner, how can I solve this? The cookie to make sure is Session ID. I read that I can solve it with httponly, but how can I set this parameter? in the config.inc.php document? can you write step by step?

Share this post


Link to post
Share on other sites

Hello you can secure cookies with the following command in the .htaccess in
 <IfModule mod_rewrite.c>
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
Header set Strict-Transport-Security: "max-age = 31536000; includeSubDomains; preload"
Header always set X-FRAME-OPTIONS "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "frame-ancestors;"
Header always set X-Content-Security-Policy: "default-src 'none'; script-src 'self' https://code.jquery.com https://www.google-analytics.com; img-src ' self 'https://www.google-analytics.com; connect-src' self '; font-src' self '; style-src' self '; "
Header set Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
Header always set X-Xss-Protection "1; mode = block"
</ IfModule>

this secures cookies as well as setting up all the security for an internet.
httponly; Strict-Transport-Security; X-FRAME-OPTIONS, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, X-Xss-Protection.
Then once in place go to https://securityheaders.io/. Enter the address of your website and you will validate all cookie security included.

if in doubt send me your .htaccess I integrate them and I forward it to you.

Share this post


Link to post
Share on other sites

hi, yes but this is the error:


 

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Share this post


Link to post
Share on other sites

Quote

"Your website uses unsafe cookies that can be read via JavaScript. In this way you give the possibility to an external attacker to access ex. to your customers' data during an open user session."

Where did You received this message?

Share this post


Link to post
Share on other sites

  • 10 months later...
  • 5 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

Cookies ensure the smooth running of our services. Using these, you accept the use of cookies. Learn More